Pentagon Pauses CMMC Phase 2 to Reassess Costs and Contractor Capacity

The Pentagon has frozen the planned Phase 2 rollout of the Cybersecurity Maturity Model Certification (CMMC), forming a cross‑department Reform Task Force and issuing an RFI to gather feedback as it reviews the program. The halt aims to prevent driving many small and mid‑sized defense vendors out of the defense industrial base, citing costs (SBA data suggesting potential multi‑billion‑dollar annual expenses) and a shortage of assessors (roughly 100 for more than 100,000 DIB companies). Until the review concludes (within about 60 days), enforcement will rely on self‑assessments under NIST 800‑171, with the possibility of further changes, including potential cancellation of CMMC after the pause.
- DOD halts cybersecurity requirements for CMMC Phase 2: ‘The math just simply doesn't math’ DefenseScoop
- Pentagon suspends CMMC phase two requirements, launches review of program Federal News Network
- Pentagon announces ‘immediate suspension’ of CMMC Phase II mandates Breaking Defense
- Forging the Arsenal of Freedom: Department of War Suspends CMMC Phase II Requirements U.S. Department of War (.gov)
- Pentagon pauses cyber audit rule blamed for supplier exits Reuters
Reading Insights
0
0
6 min
vs 7 min read
92%
1,234 → 104 words
Want the full story? Read the original article
Read on DefenseScoop